Funding remains steady in many systems for now, but we will be, and should already be, fighting against perceived irrelevance that will increase as digital subscription services allow people to curate massive personal media and information collections with great ease.

Book stores, large or small, aren’t analogous to libraries because you pay for every single purchase from a store. Subscription services are far more similar to a library because for a fee, just as you pay taxes to support the library, you can quickly access a media library, and there’s likely no waiting for the must-have title.

To which the Publib chorus responded ~

That said, pay-fer services, like that described here or Netflix or even big book stores, are no threat to libraries. They certainly haven’t caused reduced funding for libraries. ~ DARRELL COOK – Richardson (TX) Public Library

The fact remains that libraries must evolve. We must change the perception that, once people can easily check out books, audio books, and find information quickly and easily using their smart devices, that libraries will no longer be needed. What will or what are libraries morphing into? What will be our new/revised role in community when it is no longer “reading advisor”? How will City Councils and State Legislatures begin to view us as “essential” and not as a place to begin cutbacks? ~ Beth Carlberg -Lubbock Public Libraries

This very topic was the subject of the Infopeople webinar, “Libraries in a Post-Print World,” held yesterday, September 13. I recognized several PubLibbers’ names among the attendees. The webinar archive is here: http://infopeople.org/training/libraries-post-print-world ~ Nann Hilyard the library in Zion, Illinois

Amazon is a singular corporate entity. Libraries are at best an aggregate of like-minded interests loosely, yet passionately bound together by a system of professional ethics. Like politics, all Libraries are local. So, can we really say that Amazon is competing with any individual Library or are Libraries collectively poised to compete with Amazon?

I know that it takes a bit for new programs to work the glitches out but we have some pretty avid readers who have been waiting and watching for the Kindle app to appear. I want to make sure I can help them when they appear on our doorstep. ~ Jan Cole – Duncan Public Library

Would anyone be willing to share the percentage of your annual materials budget that you allocate for e-books, or just the amount you budget for e-books? What is your population? – Diane Greenwald -Warwick Public Library (Ocean State Libraries)

As a proud owner of His and Her Kindles, I reviewed the Ocean State Libraries consortium offerings for Kindle. The number of titles currently available for the 600,000+ card holders is: 4,046. There is essentially no depth to the collection at this time nor any real value in searching it. In contrast – using the no-contract free 3G access built into the Kindles, I can browse and sample over 1 million titles.

– The deal with Twentieth Century Fox means additional video titles are now available for Amazon to stream to all sorts of devices – providing an on-demand library of over 100,000 titles.

How many libraries can say they are able to provide the equivalent access?

– The new price point for Kindles – as low as $79 with WiFi or $149 with free 3G – means many, many more people will be able to afford Kindles.

Amazon Prime is $79 a year. So, for a total investment of about $150, you have WiFi, and thousands of books and videos available – representing a big price drop from just a few months ago. And, the new Kindle Fire may potentially become the dominant streaming media device.

Publib contributors are not without ethical concerns over these changes –

… that kind of seamless integration across your Amazon account has interesting (i.e. potentially alarming) implications about just how much Amazon is keeping track of its customers’ relationships with their public libraries. I’m not sure what I think about that yet. Does anyone have a read on that yet? ~ Will Porter – Dennis Memorial Library

… but I did note yesterday that your library books are listed in your Kindle account information, just like books you purchase, and can be sent to any device you own from there. Several of our patrons have already commented on the service on our FB page – one or two even praised how easy it is, so that’s a nice change… ;)~ Robin Hastings – Missouri River Regional Library

So they’re definitely paying attention to what patrons are checking out and using that information for marketing. I wouldn’t be too surprised if they shared that information with others. Part of me wants to make a big point of letting patrons know that their Kindle checkouts aren’t anonymous, but I don’t really know that patrons care about that as much as I do. I know that while my librarian self finds it worrying my patron/customer self just doesn’t care. ~ Andrew Fuerste-Henry Dubuque, IA

But is Amazon competing with Libraries or are Libraries competing with Amazon?

Library Security and Insecurity – A Brief Risk Assessment

Anne Frontino of the Haddonfield Public Library in New Jersey queried the PubLib Listserve about privacy and possible misuse of library barcodes on smartphones, remarking:

Our library is considering allowing patrons to use barcodes scanned onto their smart phones to check out books. … We have only had a few instances of patrons trying this method of checking out items, but we feel that there may be some privacy or other misuse issues lurking.

It was obvious that there is no universally accepted standard for securing library user information, yet privacy is a cornerstone of libraries, library ethics, and the library profession. In fact, a privacy guarantee may be the one thing in the information age that sets libraries apart from other massive information resources. It may be the singular added value that provides validation of libraries as a public service.

Library records and library use are afforded privacy protection by statute and / or published opinions in the fifty States and the District of Columbia. Many states have enacted Security Breach notification laws and Data Disposal laws that safeguard privacy. Library user privacy is also championed by the American Library Association Code of Ethics specifically through Article III:

We protect each library user’s right to privacy and confidentiality with respect to information sought or received and resources consulted, borrowed, acquired or transmitted.

These statutes, ethics and opinions can create formidable barriers to unlawful, unwarranted electronic discovery. However, dramatic changes to the traditional library information environment have led to a general failure of libraries to provide security of library records and transactions and fulfill professional and statutory guarantees of privacy. As a result of those dramatic changes, library usage represents a massive opportunity for legitimate and illegitimate electronic discovery.

In 2009 the HITECH Act was passed to specifically address privacy of health records in the United States in conjunction with HIPAA. The process promulgated for securing privacy of health records could be effectively applied to safeguard library records – the technology is the same and the security issues are similar. Libraries and health care providers are both required to safeguard the privacy of user records. Health care records and library user records are both defined as protected information resources. But, unlike libraries, the custodians of health care records must now, as a result of HIPAA and HITECH, undergo a risk assessment to identify how breaches of privacy may occur.

If risk assessments are not being conducted by libraries, how well are Libraries securing user information? Thousands and thousands of library records have been compromised and hacked. Nothing mandates risk assessment of library privacy and information security. Yet, the laws and opinions in all 50 states and DC define library user information as private and protected.

What is the ongoing risk of exposing library user information? Huge. Three Library systems are reviewed here for the most basic levels of information security for users – Encryption, Authorization and Authentication and Agency of ownership applied to Library Catalogs and Websites.
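The three criteria named above can be checked mechanically against the markup a catalog page serves. The following is an added example, not part of the original assessment: the host name, field names and sample page are constructed, and the `PageAudit` and `assess` names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

class PageAudit(HTMLParser):
    """Collect form targets, form fields and script sources from one page."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url, self.forms, self.scripts, self._form = page_url, [], [], None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            action = urljoin(self.page_url, a.get("action") or "")
            self._form = {"action": action, "fields": [], "has_secret": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None:
            self._form["fields"].append((a.get("name") or "").lower())
            self._form["has_secret"] |= (a.get("type") or "").lower() == "password"
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.page_url, a["src"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None

def assess(page_url, html, id_fields=("barcode", "cardnumber")):
    """Return (category, detail) findings for the three criteria."""
    page = PageAudit(page_url)
    page.feed(html)
    own_host, findings = urlparse(page_url).hostname, []
    for form in page.forms:
        if urlparse(form["action"]).scheme != "https":
            findings.append(("encryption", "cleartext submit to " + form["action"]))
        if set(form["fields"]) & set(id_fields) and not form["has_secret"]:
            findings.append(("authentication", "barcode accepted without a PIN"))
    for src in page.scripts:
        host = urlparse(src).hostname
        if host and host != own_host:
            findings.append(("agency", "third-party script from " + host))
    return findings

# Constructed sample page: hypothetical host and field names, not a real catalog.
SAMPLE_URL = "http://catalog.library.example/"
SAMPLE_HTML = """
<form action="/search"><input name="q"></form>
<form action="https://catalog.library.example/login"><input name="barcode"></form>
<script src="/js/site.js"></script>
<script src="https://www.statcounter.com/counter/counter.js"></script>
"""
print(*assess(SAMPLE_URL, SAMPLE_HTML), sep="\n")
```

A static pass like this sees only what the served markup declares; scripts injected at runtime and server-side sharing of patron records need separate review.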

Sacramento Public Library – Sacramento, California

The Sacramento Public Library serves over 600,000 users with 28 libraries. According to Manya Shorr, the SACPL also allows use of un-authenticated barcode images on smartphones as an alternative to a library card.

Website – The SACPL employs Google custom search – an outside agency not under control of SACPL, which tracks and stores user information

Sacramento Public Library Risk Assessment – Fail

Non-login catalog searches appear to be transmitted in the clear. Both login and non-login catalog use are tracked by Google – a third party not controlled by the SACPL. Searches of the SACPL website through Google custom search are likewise third-party data collection not controlled by SACPL. In addition, risk of in-person identity theft is compounded by reliance on staff to authenticate based on suspicion. How is reasonable suspicion quantified and qualified with 28 libraries and 600K users?

Ocean State Libraries – (library consortium) – Rhode Island

The Ocean State Libraries (OSL) consortium (formerly CLAN) includes 49 public libraries of Rhode Island and over 500,000 user records. In 2003 a long-term employee of the Warwick Public Library – the home of the Ocean State Libraries offices – was charged with stealing library user identity to obtain credit cards. Each employee with access to the circulation modules of the consortium is able to access library records and personal information for other users of the integrated library system. So, at the time when charges were filed, all of the patron records for all of the libraries were potentially breached. Subsequent meetings of the OSL voting membership – library directors – discussed some of the security concerns of retaining driver’s license numbers and social security numbers within the database. Some consideration of standardizing security of data was proffered. Arguments were made that the easiest thing to do was not to require PINs or other authentication and leave data collection and retention as a decision at the local level.

Encryption – The OSL catalog uses https SSL to encrypt login to user accounts. The OSL does not employ encryption for non-login catalog searches – all searches appear to be transmitted in the clear.

Authorization and Authentication – The OSL catalog does not require authentication of user accounts through a PIN – merely knowledge of a simple numeric 14-digit barcode.

Agency – It is unclear how information is shared with external agents – however, patron data is shared throughout the consortium and is not compartmentalized.

Website – OSL website user information is shared with and tracked utilizing Statcounter.com – a service out of Ireland.

Agency – User information is shared with and tracked utilizing Statcounter.com – a third party service apparently managed out of Ireland. Statcounter script is rendered as invisible, secreted tracking without informing visitors of its use within the website code – script from OSL website :

Ocean State Libraries Risk Assessment – Fail

No authentication of library catalog users – creating high risk of exposing user data. Non-login catalog searches appear to be transmitted in the clear without encryption. Use of website employing Statcounter.com aggregation of user data is third-party data collection by an agency not controlled by OSL – with servers storing data about user sessions apparently located in Ireland. Although security of patron records has been breached in the past, compartmentalization of records does not appear to have taken place.

The Library Connection – (library consortium) – Connecticut

The Library Connection serves 27 public and academic libraries in the State of Connecticut. The Library Connection librarians achieved some notoriety within the world of librarianship from their challenge to a National Security Letter and willingness to go to the mat along with the ACLU to defend the privacy of their users against law enforcement in John Doe v Gonzales. How does this library system, employing librarians willing to secure and protect patron information from law enforcement review, face user information security in general?

Encryption – The login connection to the Library Connection catalog does not employ https SSL.

Authorization and Authentication – A name and PIN or a barcode number and PIN are required for access to library user record. However, since that information is apparently transmitted in the clear instead of encrypted using https SSL – identity theft and harvesting of PINs with names and PINs with barcode numbers could be easily accomplished.

Information on non-Registered Library Users: No information is collected on library users who do not register as patrons. Some member libraries may collect the names of those who wish to use library computers to access the Internet. We encourage these libraries not to retain this information longer than three days.

Website – Immediately upon entering the Library Consortium website, user data is shared with and tracked by Google analytics

The Library Connection Risk Assessment – Fail

No apparent encryption of library users’ logins. Non-login catalog searches appear to be transmitted in the clear. Use of website employing Google analytics is third-party data collection – an agency not controlled by the Library Connection – which appears contrary to the Library Connection policy on non-registered users.

Risk Assessment Summary –

The ongoing risk to library user privacy is huge. This brief survey only touches on a few of the many current insecurities of library user information. Insecure user privacy practices represented in this brief risk assessment affect the privacy of over one million library users – just at these three library systems. The privacy standards outlined by Article III of the ALA Code of Ethics may be compromised for convenience even by large library systems. The ongoing erosion of user privacy in libraries to facilitate ‘ease of use’ by librarian and patron without regard to standard information security practices and ethics threatens the foundation of libraries as viable professional public services.